API Token Creation for Authentication in Laravel 5.2

In this article, I will discuss Laravel API token authentication, a very important topic in web app and website security. I will demonstrate the basics of API token authentication and how easily you can implement the idea in your project.

What is API Token Authentication

The traditional process of interacting with a website is that you log in from the login page, perform your desired actions, and then log out. However, in the case of a REST API, the process is quite different. The traditional procedure does not work for RESTful APIs because the methods used on the login page do not make any sense there. You need to use an api_token instead.

All you need to do is to append the api_token to the query string before making a request and the request is authenticated.

Now what Laravel 5.2 offers is quite interesting! You can easily implement this idea using the TokenGuard library of Laravel.

To demonstrate the idea, I will make a simple application in which users can register themselves and then, using their API tokens, try to post some data into the database. If Laravel API Guard allows the token, the data will be posted to the database. If the token is rejected, an exception is thrown.

Prerequisite

For the purpose of this article, I assume that

You have a Laravel 5.2 app on a Cloudways managed server. If not, sign up now and host one for free.

You have executed the following command in the public_html directory of the app

Create the Database

The first order of business is the creation of the database where the user-generated data will be posted. This database will be named notes. Users can post data to this database using the API and API tokens. These tokens are randomly generated. I will use artisan to create this database.

In the folder public_html/database/migrations, create this file below. This file will create the user database once I instruct artisan later on.

I have used the auth middleware to protect the routes from unauthenticated users. By appending :api, I am simply telling Laravel to switch to the api guard, which is set up in config/auth.php.

Another important benefit of wrapping the routes in the middleware is that users accessing the API must present the api_token along with the request. Without the api_token, the user will receive a specific error.

Make the Controllers

The next step is the creation of controllers.

First, I will make a slight change in the auth controller residing inside the public_html/app/Http/Controller/auth/

Testing the App

The app is finished and it is now time to check the functionality of the app. The first step is to register a user. To do this, visit the URL of the application.

Once registered, get the api_token for the user. For this, launch the Database Manager from the Application Access Detail page of the Platform. Once launched, you can see the new user and the associated api_token. Copy this token to a text file.

If you change the api_token, you will be directed to the login page instead of seeing the result.
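The accept and reject behaviour tested above can be reproduced outside the framework. The following is an added example, not code from the original article or from Laravel: a stand-alone PHP 7.1+ model of an api_token check. The function names and the in-memory user list are constructed for illustration. Laravel's token guard looks the token up in the users table, and also accepts it as a Bearer header, which keeps the token out of URLs and access logs.

```php
<?php
// Added example: framework-free model of an api_token check (not Laravel source).
// Function names and the sample user list are hypothetical.

// Create a random 60-character token at registration time.
function generateApiToken(): string
{
    return bin2hex(random_bytes(30));
}

// Resolve the token: request input field first, then the Authorization header.
function tokenFromRequest(array $input, array $headers): ?string
{
    $field = $input['api_token'] ?? null;
    if (is_string($field) && $field !== '') {
        return $field;
    }
    $auth = $headers['Authorization'] ?? '';
    if (strncmp($auth, 'Bearer ', 7) === 0 && strlen($auth) > 7) {
        return substr($auth, 7);
    }
    return null;
}

// Return the matching user, or null when the token is missing or unknown.
// The array stands in for the database lookup on the api_token column.
function authenticate(array $users, array $input, array $headers = []): ?array
{
    $token = tokenFromRequest($input, $headers);
    if ($token === null) {
        return null;
    }
    foreach ($users as $user) {
        if (hash_equals($user['api_token'], $token)) { // constant-time compare
            return $user;
        }
    }
    return null;
}

// Constructed sample data standing in for the users table.
$users = [['id' => 1, 'email' => 'alice@example.test', 'api_token' => generateApiToken()]];
$good  = $users[0]['api_token'];

// Each line reports whether the request was authenticated.
var_dump(authenticate($users, ['api_token' => $good]) !== null);                  // token in query string
var_dump(authenticate($users, [], ['Authorization' => "Bearer $good"]) !== null); // token in header
var_dump(authenticate($users, ['api_token' => $good . 'x']) !== null);            // altered token
var_dump(authenticate($users, []) !== null);                                      // no token sent
```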

Conclusion

In this tutorial, I demonstrated how you could use api_token for setting up secure communication within your app. The complete code of the app is located here. If you would like to clarify a point discussed above or would like to extend the conversation, please leave a comment below.